Security Metrics Management: How to Manage the Costs of an Assets Protection Program
***** Security Metrics Management: How to Manage the Costs of an Assets Protection Program. By Gerald L. Kovacich and Edward P. Halibozek; published by Elsevier Butterworth-Heinemann; available from ASIS, Item #1673, 703/519-6200 (phone), www.asisonline.org (Web); 352 pages; $60 (ASIS members), $66 (nonmembers).
They may not be Gilbert and Sullivan or Woodward and Bernstein, but authors Gerald Kovacich and Edward P. Halibozek are becoming prolific collaborators in their own right. In their latest partnership, Kovacich and Halibozek take on security metrics management, which centers on managing the costs of an asset-protection program and showing a return on investment (ROI) of security expenditures. Given that security departments are often asked to justify their existence through cost-effectiveness, this may be one of the most important security texts to emerge in recent years.
The authors reduce protection programs to their most basic components, forcing security professionals to determine the validity of these components in terms of hard numbers. The exercise is worth the effort.
Metrics can be created for virtually every security effort, the authors show. For the purposes of this book, they divide security metrics management into administrative security, physical security, and operations security. These broad topics are further subdivided into areas such as information, personnel, education and awareness, compliance audits, and contingency planning, to name just a few examples.
A fictional company is used to provide concrete examples of the methods explained. For example, one exercise shows how a company might survey threats to its assets around the world and conduct appropriate risk management by diagramming “threat agents” and those agents’ capabilities, motivations, inhibitors, and “amplifiers.” If the threat agent is a nation-state, the organization can put together a table of factors such as adult population, level of literacy, telecom infrastructure, and so on, then adjust those factors accordingly in terms of motivators, amplifiers, and other elements. The result is a group of numbers that quantify the risks posed to overseas assets and help security tailor a security budget to those threats.
Throughout, plenty of examples are presented on how various types of information can be displayed, such as via graphs, flowcharts, and survey checklists. The sheer amount of data presented can be overwhelming.
That profusion of data underscores one of the few problems with this book. With this data and chart overload, it’s easy to get caught up in the measurement mania and lose sight of why you are measuring security in the first place.
Other faults are irritating if not debilitating: acronyms abound (SMMP, LOE, CAPP, to name only three), sentence structure sometimes detracts from the message, and in some examples, there is no detail between the introduction of a concept and the presentation of measurement results. For example, a confusing case study on Six Sigma does not provide specific details on how results were achieved.
Aside from these quibbles, Kovacich and Halibozek deserve to be congratulated on their effort. This could be a powerful tool for security professionals setting out to design cost-effective programs.
Reviewer: Glen Kitteringham, CPP, who holds a master’s degree in security and crime risk management from the University of Leicester, has worked in the security industry since 1990. He currently oversees security for several commercial high-rise properties, with a combined area of more than 8.5 million square feet. He is a member of both the ASIS International Commercial Real Estate Council and Business Practices Council.